S2S VPN in Cisco FTD managed by FMC

thuthon
Level 1

Hi,

Trying to establish a S2S VPN connection from FTD to Azure. The connection is up and the encrypted and decrypted packet counts keep increasing, but the Azure side is not receiving traffic. Packet trace shows it's hitting the IPSec ACL and hitting the right NAT exempt rule. Packet capture on the inside interface shows the traffic coming in from the Azure side and return traffic from the protected server address. The only weird thing is that when doing a packet capture on the outside interface I can see interesting traffic being sent on the outside interface with the Azure-side destination address and the outside interface as the source. Should I be seeing that if the traffic is going through the tunnel?

Thanks

7 Replies

encrypt <<- meaning your traffic passes the interface you configured the crypto map under
decrypt <<- meaning your FTD successfully receives the traffic from Azure and IPsec successfully handles this traffic

Do you see both encrypt and decrypt under the same IPsec SA? i.e. under the same IPsec SA toward the remote peer Azure, do you see the encrypt and decrypt counts increase?
If yes,
then check if there is a FW in front of your FTD that drops the packets.
If no,
check if the traffic went to the wrong peer.

Hi MHM,

I am seeing encrypt and decrypt under the correct IPSec SA and there is no firewall past the FTD.

Should I be seeing traffic originating from the outside Interface to the Azure server that is meant to be encrypted? I have never checked it before but I would think that I should not be able to see it if it’s getting encrypted.

thanks,

Even if it is encrypted, it uses UDP/500 or UDP/4500.

What is inside the packet does not matter; we need to fully check that the traffic goes out from the outside interface to Azure.
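To make the check described in this reply concrete, here is an added example (not from the thread or from Cisco) that sorts lines from an outside-interface capture into tunneled traffic (ESP, or UDP/500 and UDP/4500 to the peer) versus cleartext packets addressed to the remote protected subnet, which is the symptom the original post describes. The capture lines, the peer address 198.51.100.20, the outside address 203.0.113.10 and the protected subnet 10.20.0.0/16 are all constructed placeholders, and the line layout only approximates FTD's `show capture` output.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the rough shape of "show capture outside" output (not real FTD data).
CAPTURE = """\
   1: 10:21:33.123456 203.0.113.10 > 198.51.100.20: ESP(spi=0x1a2b3c4d,seq=0x1f), length 132
   2: 10:21:33.223456 203.0.113.10.4500 > 198.51.100.20.4500: udp 156
   3: 10:21:34.001122 203.0.113.10.45012 > 10.20.0.5.80: S 0:0(0) win 8192
   4: 10:21:34.101122 203.0.113.10 > 10.20.0.5: icmp: echo request
   5: 10:21:34.201122 203.0.113.10.500 > 198.51.100.20.500: udp 432
"""

# seq: timestamp src[.port] > dst[.port]: rest
LINE_RE = re.compile(
    r"^\s*\d+:\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?\s+>\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:\s+(.*)$"
)


def classify(line, peer, protected_net):
    """Return 'tunneled', 'cleartext-to-protected', 'other', or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, _src, _sport, dst, dport, rest = m.groups()
    # ESP (IP proto 50) or IKE/NAT-T on UDP 500/4500 to the VPN peer: traffic went into the tunnel.
    if dst == peer and ("ESP" in rest or "ip-proto-50" in rest or dport in ("500", "4500")):
        return "tunneled"
    # Anything else addressed straight to the remote protected subnet left the interface unencrypted,
    # i.e. it did not match the crypto map (wrong ACL, NAT rewriting the source, or wrong peer).
    if ipaddress.ip_address(dst) in protected_net:
        return "cleartext-to-protected"
    return "other"


def triage(capture, peer, protected):
    """Count verdicts over a capture and return the cleartext lines that should have been encrypted."""
    net = ipaddress.ip_network(protected)
    counts, leaks = Counter(), []
    for line in capture.splitlines():
        verdict = classify(line, peer, net)
        if verdict is None:
            continue
        counts[verdict] += 1
        if verdict == "cleartext-to-protected":
            leaks.append(line.strip())
    return counts, leaks


if __name__ == "__main__":
    summary, bad = triage(CAPTURE, "198.51.100.20", "10.20.0.0/16")
    print(dict(summary))
    for entry in bad:
        print("NOT ENCRYPTED:", entry)
```

If any `cleartext-to-protected` lines show up on the outside interface, the packets are bypassing the crypto map, so the crypto ACL, NAT exemption order and peer selection are the places to look next.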

I am seeing tcp/80, tcp/8080 and ICMP traffic 

Do you capture on the FTD side or the Azure side?

On the FTD side. Packet capture on the outside interface shows traffic with the VPN gateway address as the source and the Azure-side protected server address as the destination.

(attached screenshot: Screenshot (507).png)
Can you confirm the above?
Can I see show crypto ipsec sa?